Former Con Man Helps Feds Thwart Alleged ATM Hacking Spree

A North Carolina grocery worker is being held without bail in Houston on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper.

Thor Alexander Morris, 19, was arrested at a Houston flea market last month after trying a default administrative passcode on a Tranax Mini-Bank ATM there, according to the FBI. Morris, who was wearing a wig to disguise his appearance, allegedly hoped to reprogram the machine to think it was loaded with $1 bills instead of $20 bills. That would let him pull $8,000 in cash with $400 in withdrawals from a prepaid debit card.

Details of the federal case are laid out in a criminal complaint (.pdf) filed in Houston in late April. Morris allegedly hoped to hit more than 30 Houston ATMs and clear at least $250,000. But he made the mistake of approaching a reformed Texas con man for help with the scheme, who helped the feds set up a sting operation.

Cash-machine–reprogramming scams were first noticed in the financial industry in 2005, and surfaced publicly in 2006 when a cyber thief was caught on video looting an ATM at a Virginia gas station. Threat Level later confirmed that default administrative passcodes for retail ATMs manufactured by Tranax and Triton were printed in owner’s manuals easily found online.

An administrative passcode opens hidden functions on common models of retail ATMs, like this screen on the Tranax Mini-Bank that sets the denomination of bills the machine thinks it’s dispensing.

Since then, both Tranax and Triton have updated the firmware on new machines to force owners to change the passcodes when they first boot the ATM. But the scam still pops up from time to time, and has resulted in a smattering of arrests.

Morris ran a website that sold replicas of American Express Centurion Cards. He allegedly planned his ATM attacks after meeting a former Houston-area con artist named Brian Rhett Martin through the site. An old-school hacker type, Martin — aka “Iceman” and “Forcible Entry” — made news in the wake of the 1995 Oklahoma City Bombing when he impersonated a federal agent to finagle an official helicopter ride over the ruins of the Alfred P. Murrah federal building, then sold the video to a French TV program. He went back to jail in 2004 for a new fraud scheme, and had just been released from a halfway house when Morris began chatting him up.

Morris was apparently excited to hear about Martin’s past, and allegedly offered Martin a 50-50 partnership in his ATM caper. Martin’s job would be to compile a map of Tranax cash machine locations in Houston — Morris suggested slipping a GPS tracking device on an ATM service truck.

Unfortunately for Morris, Martin had gone straight. Martin saved chat logs and Facebook photos of Morris, and turned it all over to the FBI. Then he introduced Morris to an undercover agent posing as a local hood named “Leo”.

Brian Rhett Martin, 34, is a former con artist who helped the FBI thwart an alleged citywide ATM hacking plan

When Morris flew into Houston, “Leo” met him at the airport and drove him to a nearby Walmart, where Morris bought a Green Dot prepaid debit card loaded with $400. Morris and the FBI agent then went war-driving for an open Wi-Fi access point, which Morris used to activate the card online using the name “Barack Obama.”

On the drive to his first cash machine, Morris bragged to the undercover agent that he’d already conducted ATM hacking trips to Tennessee, Florida, South Carolina and Virginia, and hit machines in his home town of Jacksonville. He also boasted about other supposed exploits as a “hacker”, claiming he’d stolen credit card information from the Food Lion where he worked, and had targeted the Navy Federal Credit Union and Walmart in a manner unspecified in the criminal complaint.

When he was through gabbing, Morris donned a long, black curly hair hairpiece he called his “Rick James” wig and walked with the agent to an ATM at the Mercado 6 flea market, where managers had previously agreed to cooperate in the investigation. The agent watched as Morris entered the key sequence that brings up the “Enter Password” screen, and then keyed in the default passcode for the Tranax Mini-Bank.

The code, though, had been changed on this machine, and Morris was thwarted. He allegedly tried two more times, then tried a completely different code before the FBI agents surveilling the scene got impatient and arrested him.

In an interrogation after his arrest, Morris allegedly told the FBI that Martin and “Leo” were the masterminds of the scheme, and he was just there “to help them out” — not knowing that Martin was the one who turned him in, and Leo was a fed.

He also clarified that he’d made up the story about hitting ATMs in other states. The Houston trip was his first attempt at the ATM caper, he said — a claim Threat Level finds convincing.

In addition to the wig he was arrested in, Morris had a false goatee kit, a fake mustache, spirit gum and remover, and several changes of clothes.